No reviewers
Labels
No Label
bug
build
dependencies
developers
documentation
duplicate
enhancement
formatting
invalid
legal
mobile
obsolete
packaging
performance
protocol
question
refactoring
regression
security
test
translation
usability
wontfix
No Milestone
No project
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Bitmessage/PyBitmessage-2024-11-28#262
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "keyfile_perm_fix"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This spits out a warning to the console, but ideally it would also
issue a warning to the GUI for those who didn't start it from the
console. N.B. the warning is a one shot thing, since it fixes the
problem in a way essentially undetectable in the future, so it
should be done right if it is to be done at all.
Maybe we should even disable all keys automatically if the keyfile
is found in an insecure state.
I will be able to test this more extensively Thursday and I would expect to merge it then.
Thank you
@Atheros1, I'm really thinking this should disable all keys before it gets merged with master. It's early in the lifetime of the project so nobody should be using this for highly sensitive communication yet, and manually enabling keys people don't consider sensitive or compromised is a pain, but I think it's worth sticking to paranoid practices from the beginning.
I've tested a compiled EXE on Windows and found no problems although looking at the code, it looks like it doesn't do anything special in Windows, does it?
@fiatflux Obviously it is good to be paranoid about security but we can't disable people's addresses without telling them and letting them re-enable them. This will cause people to miss messages (until they are retransmitted). But it isn't just that almost no one will notice that they need to re-enable them, it is that of those who find out, no one won't re-enable their addresses which means that it will have provided no attack mitigation in the first place.
Sorry for the delay. I'm back to having a bit of free time and network access.
Indeed, the important bits of this don't touch Windows.
I suppose you're right about how the users would react to this. The poses the question, though: what is the right way to revoke keys? (For future consideration.)
I have updated this branch to reflect your input. FYI, I don't want to redo logging here so this branch now contains commits from fiatflux:no_propagate_loggers, which has its own pull request.